[SCA] VeChain / BaseMarketplace /Jun2024

Vechain Foundation

Audit name:

[SCA] VeChain / BaseMarketplace /Jun2024

Date:

Jul 26, 2024

Table of Content

→Introduction

→Audit Summary

→System Overview

→Risks

→Findings

→Appendix 1. Severity Definitions

→Appendix 2. Scope

→Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Vechain Foundation team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

MaaS(Marketplace as a Service) is a VeChain Foundation project that allows enterprises to create their own decentralized marketplace to manage the trading of NFTs via fixed price listing, offers, and auctions.

Document
Name	Smart Contract Code Review and Security Analysis Report for Vechain Foundation
Audited By	Andy Cho
Approved By	Ataberk Yavuzer
Website	https://vechain.org→
Changelog	02/07/2024 - Preliminary Report
	19/07/2024 - Secondary Report
	26/07/2024 - Final Report
Platform	VeChainThor
Language	Solidity
Tags	Marketplace
Methodology	https://hackenio.cc/sc_methodology→

Document
Name
Smart Contract Code Review and Security Analysis Report for Vechain Foundation
Audited By
Andy Cho
Approved By
Ataberk Yavuzer
Website
https://vechain.org→
Changelog
02/07/2024 - Preliminary Report
19/07/2024 - Secondary Report
26/07/2024 - Final Report
Platform
VeChainThor
Language
Solidity
Tags
Marketplace
Methodology
https://hackenio.cc/sc_methodology→

Review Scope
Repository	https://github.com/vechain/nft-maas-sc→
Commit	cc02ec0

Review Scope
Repository
https://github.com/vechain/nft-maas-sc→
Commit
cc02ec0

Audit Summary

9Total Findings

7Resolved

2Accepted

0Mitigated

1high

4medium

4observation

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

Functional requirements are provided.
Technical description is provided.

Code quality

The development environment is configured.

Test coverage

Code coverage of the project is 83.33% (branch coverage).

Deployment and basic user interactions are covered with tests.
Negative case coverage is missed.
Setter function coverage is missed.

System Overview

BidAuction — Handles NFT auctions via ERC20 and VET (native tokens).

FixedPriceNonCustodial — Handles NFT listings with fixed prices via ERC20 and VET (native tokens).

OfferContractVIP180 — Handles NFT offers just in ERC20 to use a wrapped version of VET (vVET).

Privileged roles

DEFAULT_ADMIN_ROLE — This role belongs to the foundation and will be assigned to foundation-managed wallets.
OPERATOR_ROLE — This role will be assigned to all marketplace operators (enterprise) and will also be assigned to a hot-wallet on a service of the backend.

Risks

Fee-on-transfer tokens: The contracts support a payment method in ERC20 and fee-on-transfer tokens should not be used as a payment token as they are not compatible with marketplaces.

Flexibility and Risk of Contract Upgrades: The project's contracts are upgradeable, allowing the admin to update the contract logic at any time. While this provides flexibility for addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security.

Centralized Control: The project is fully or partially centralized. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.

Findings

Code ―	Title	Status	Severity
F-2024-4096	Impossible to Create Listings with the Same tokenID for Different NFTs	fixed	High
F-2024-4333	Blacklisted Bidders Can Break The Bid/Cancel Logic	accepted	Medium
F-2024-4332	Outdated Price Usage due to Lack of Price Oracle Consistency	fixed	Medium
F-2024-4098	purchaseMany() Function Requires Users to Provide the VET in an Amount Equal to the Sale Price	fixed	Medium
F-2024-4097	Incorrect Value is Passed to the Prototype	fixed	Medium
F-2024-4111	Unused Variable	accepted	Observation
F-2024-4110	Implementation Contract Can Be Initialized by an External Actor	fixed	Observation
F-2024-4100	Confusing Error Message	fixed	Observation
F-2024-4099	Redundant Storage Reads Leading to Gas Overhead	fixed	Observation

1-9 of 9 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Severity Definitions

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

hknio/severity-formula →

Severity	Description
Critical	Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
High	High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Medium	Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Low	Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Severity
Critical
Description
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
High
Description
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
Medium
Description
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
Low
Description
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details
Repository	https://github.com/vechain/nft-maas-sc→
Commit	cc02ec0c21ed807919dde99541efd37f3e539fc6
Whitepaper	N/A
Technical Requirements	documentation.md→

Scope Details
Repository
https://github.com/vechain/nft-maas-sc→
Commit
cc02ec0c21ed807919dde99541efd37f3e539fc6
Whitepaper
N/A
Technical Requirements
documentation.md→

Contracts in Scope

contracts

BidAuction.sol - contracts/BidAuction.sol

FixedPriceNonCustodial.sol - contracts/FixedPriceNonCustodial.sol

OfferContractVIP180.sol - contracts/OfferContractVIP180.sol

BaseMarketplaceContract.sol - contracts/BaseMarketplaceContract.sol

NftGateRestriction.sol - contracts/NftGateRestriction.sol

RestrictableMarketplace.sol - contracts/RestrictableMarketplace.sol

Disclaimer

Hacken Disclaimer

Technical Disclaimer

Hacken Extractor